Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to remove wild cards/suffix values from values of hostname?

srv007
Path Finder
‎08-09-2023 11:09 AM

below is my search query

index="inm_inventory"
|table inventory_date, region, vm_name, version
|dedup vm_name | search vm_name="*old*" OR vm_name="*restore*"


output as below :

srv007_1-1691604249760.png

The challenge here is each vm_name has different suffix added and its not standard since any user adds any comment to to it so it could be anything. how do i perform look for the vm names since lookup file only has hostnames and no suffix.

i have a lookup file named itso.csv which has details like hostname(all in lower case), tier, owner, country. I want to use lookup in my main search for the fields tier, owner, country

srv007_2-1691604279711.png

end requirement is to do lookup for the vm_name in itso.csv file and add details like tier, countrycode, owner in the main search output.

Labels (4)
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎08-14-2023 05:26 AM 
| rex field=vm_name "^#*(?<real_vm_name>[a-z0-9]+)"

View solution in original post

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎08-12-2023 12:01 AM 
| rex field=vm_name "^(?<real_vm_name>[a-z0-9]+)"
| lookup itso.csv hostname as real_vm_name
Reply
Solved! Jump to solution

srv007
Path Finder
‎08-14-2023 04:52 AM

This did help actually.
few hosts have entries like ###gbl12344 - old###
anyway to fetch only hostname for such cases?

0 Karma
Reply
Solved! Jump to solution

yuanliu
SplunkTrust
SplunkTrust
‎08-14-2023 09:51 AM

Given that no real hostname begins with pound sign, you can use ltrim.

index="inm_inventory"
|dedup vm_name | search vm_name="*old*" OR vm_name="*restore*"
| eval vm_name = ltrim(mvindex(split(vm_name, " "), 0), "#")
|table inventory_date, region, vm_name, version

ltrim and split use fixed patterns,  therefore less compute and RAM.

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎08-14-2023 05:26 AM 
| rex field=vm_name "^#*(?<real_vm_name>[a-z0-9]+)"
0 Karma
Reply
Solved! Jump to solution

yuanliu
SplunkTrust
SplunkTrust
‎08-11-2023 05:20 PM

I suspect that people got confused by the field name "vm_name".  From your description, this is a free-text field that users can add additional string after the real hostname.  Dealing with human input can be challenging.  It will depend on how careful the user is, what kind of separator they use after hostname, and what characteristics the hostname string may have.

Take the simplest case where the user always added a white space before entering their comments (and that hostname itself doesn't contain white space, and that there is no leading whitespace in the field), you can do

index="inm_inventory"
|dedup vm_name | search vm_name="*old*" OR vm_name="*restore*"
| eval vm_name = mvindex(split(vm_name, " "), 0)
|table inventory_date, region, vm_name, version

(I moved table command to last as this can improve performance.  If you want to restrict number of fields carried into dedup command, use fields instead of table.)

0 Karma
Reply
Solved! Jump to solution

srv007
Path Finder
‎08-11-2023 03:09 AM

Any guidance/help is appreciated 

0 Karma
Reply
Solved! Jump to solution

srv007
Path Finder
‎08-09-2023 11:11 AM

##Note - Also point to be noted that some hostname can be of 6 characters some can be 8 and like so extracting hostname as number of characters might not be suitable.

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...